[libvirt] [PATCH 07/10] apparmor, libvirt-qemu: Allow access to ceph config

Guido Günther agx at sigxcpu.org
Wed Jun 7 17:00:56 UTC 2017

On Wed, Jun 07, 2017 at 10:44:59AM -0600, Christian Ehrhardt wrote:
> On Fri, Jun 2, 2017 at 12:57 PM, Guido Günther <agx at sigxcpu.org> wrote:
> > Shouldn't this only be added when ceph is in use?
> > Cheers,
> >  -- Guido
> >
> Yeah it is part of a category of rules where in a perfect world we would
> write virt-aa-helper code for each of them.
> In this particular case I think the existence of the following would be the
> trigger:
> <disk type='network'>
> [...]
>     <source protocol="rbd"
> Yet for some cases - like this one - the "opening" we are doing in regard
> to apparmor is quite small and maybe the burden to create (and maintain) it
> in virt-aa-helper is too much.
> So I'd appreciate if that change could be considered as-is - otherwise
> please let me know - I'll then add it to a bunch of issues of the category
> "needs to be done in virt-aa-helper" which I already track.

I was under the impression that ceph.conf might contain sensitive data
which we might not want to open up to all domains but looking at


this does not seem to be the case so this is probably o.k.
 -- Guido
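
Added example, not part of the original messages or of libvirt's virt-aa-helper: a Python sketch of the per-domain trigger discussed above, emitting a read rule for the Ceph config only when the domain XML contains a `<disk type='network'>` with `<source protocol="rbd"`. It goes one step further and also checks `<backingStore>` elements; the function names, the sample XML and the default path `/etc/ceph/ceph.conf` (the conventional Ceph location, not taken from the patch) are assumptions.

```python
import xml.etree.ElementTree as ET

# Assumption: conventional default Ceph config path, not quoted from the patch.
CEPH_CONF = "/etc/ceph/ceph.conf"

def uses_rbd(domain_xml):
    """True if any disk, or any image in its backing chain, is an RBD network disk."""
    root = ET.fromstring(domain_xml)
    for disk in root.iterfind("./devices/disk"):
        # The disk itself plus every nested <backingStore> can carry a <source>.
        for node in [disk, *disk.iter("backingStore")]:
            src = node.find("source")
            if (node.get("type") == "network"
                    and src is not None
                    and src.get("protocol") == "rbd"):
                return True
    return False

def extra_rules(domain_xml, conf_path=CEPH_CONF):
    """AppArmor rule lines for the per-domain profile; empty unless RBD is in use."""
    return [f'  "{conf_path}" r,'] if uses_rbd(domain_xml) else []

# Constructed sample domains (not from the thread).
RBD_DOMAIN = """<domain type='kvm'><devices>
  <disk type='network' device='disk'>
    <source protocol="rbd" name="pool/image"/>
  </disk>
</devices></domain>"""

FILE_DOMAIN = """<domain type='kvm'><devices>
  <disk type='file' device='disk'>
    <source file='/var/lib/libvirt/images/guest.qcow2'/>
  </disk>
</devices></domain>"""

BACKING_DOMAIN = """<domain type='kvm'><devices>
  <disk type='file' device='disk'>
    <source file='/var/lib/libvirt/images/overlay.qcow2'/>
    <backingStore type='network'>
      <source protocol="rbd" name="pool/base"/>
    </backingStore>
  </disk>
</devices></domain>"""

if __name__ == "__main__":
    for name, xml in [("rbd", RBD_DOMAIN), ("file", FILE_DOMAIN),
                      ("backing", BACKING_DOMAIN)]:
        print(name, extra_rules(xml))
```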
